Commit Graph

18 Commits

Author SHA1 Message Date
Brad Fitzpatrick d3efe8caf6 safesocket, ipn/ipnserver: look up peer creds on Darwin
And open up socket permissions like Linux, now that we know who
connections are from.

This uses the new inet.af/peercred that supports Linux and Darwin at
the moment.

Fixes #1347
Fixes #1348

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-16 20:38:44 -08:00
Brad Fitzpatrick dec01ef22b safesocket: make ConnectDefault use paths pkg, fixing tailscaled-on-macOS
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-02-15 11:33:12 -08:00
Brad Fitzpatrick bbb4631e04 safesocket, wgengine: add some darwin failure diagnostic hints 2021-02-15 08:40:52 -08:00
Brad Fitzpatrick 914a486af6 safesocket: refactor macOS auth code, pull out separate LocalTCPPortAndToken 2021-01-29 14:34:57 -08:00
Brad Fitzpatrick 60e189f699 cmd/hello: use safesocket client to connect 2021-01-29 13:49:17 -08:00
Brad Fitzpatrick 54d0d83b67 safesocket: on Linux, make /var/run/tailscale be 0755
Continuation of earlier two umask changes,
5611f290eb and
d6e9fb1df0.

This change mostly affects us, running tailscaled as root by hand (with
a umask of 0077), not under systemd. End users running tailscaled
under systemd won't have a umask.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-21 13:23:14 -08:00
Brad Fitzpatrick 5611f290eb ipn, ipnserver: only require sudo on Linux for mutable CLI actions
This partially reverts d6e9fb1df0, which modified the permissions
on the tailscaled Unix socket and thus required "sudo tailscale" even
for "tailscale status".

Instead, open the permissions back up (on Linux only) but have the
server look at the peer creds and only permit read-only actions unless
you're root.

In the future we'll also have a group that can do mutable actions.

On OpenBSD and FreeBSD, the permissions on the socket remain locked
down to 0600 from d6e9fb1df0.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-15 10:13:00 -08:00
Brad Fitzpatrick d6e9fb1df0 all: adjust Unix permissions for those without umasks
Fixes tailscale/corp#1165

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-11 19:24:41 -08:00
Brad Fitzpatrick d8e67ca2ab safesocket: gofmt
gofmt differences between versions :(
2020-07-20 14:40:19 -07:00
Brad Fitzpatrick f562c35c0d safesocket: support connecting to Mac TCP server from within App Sandbox 2020-07-20 14:23:50 -07:00
Brad Fitzpatrick 5362e952e1 safesocket: gofmt
Was developed on a random machine without my normal environment.
2020-03-30 11:23:18 -07:00
Brad Fitzpatrick fee2d9fad4 safesocket: connect to the macOS network extension on darwin (as last resort)
(For cmd/tailscale CLI support on macOS)

Signed-off-by: Brad Fitzpatrick <brad@danga.com>
2020-03-29 22:15:28 -07:00
Brad Fitzpatrick b3d9eab1fe safesocket: make some effort to create parent directory of sock 2020-03-03 11:47:21 -08:00
Brad Fitzpatrick 04e6b77774 safesocket: delete incorrect build tag
Leftover from copying one file to another to create safesocket.go
in the earlier documentation change (29f7d64091).
2020-02-25 09:02:52 -08:00
Brad Fitzpatrick 29f7d64091 safesocket: document
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-02-25 08:46:34 -08:00
David Anderson 4460bd638b safesocket: simplify API.
On unix, we want to provide a full path to the desired unix socket.

On windows, currently we want to provide a TCP port, but someday
we'll also provide a "path-ish" object for a named pipe.

For now, simplify the API down to exactly a path and a TCP port.

Signed-off-by: David Anderson <dave@natulte.net>
2020-02-18 12:56:19 -08:00
David Anderson 39bc24cb96 safesocket: make test use testing.T correctly.
Signed-off-by: David Anderson <dave@natulte.net>
2020-02-11 10:28:11 -08:00
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 2020-02-09 09:32:57 -08:00